Why I'm getting incorrect syntax near "Letter"?

Question

I'm trying to ADD new car details to the system. I want to add to the varchar values for the CarId. In the database type of the carId is varchar.

This is my code:

private void btnAddCar_Click(object sender, EventArgs e){
if (txtCarId.Text == "" || txtModel.Text == "" || txtColor.Text == "" || txtFuelType.Text == "" || txtPrice.Text == "")
            {
                MessageBox.Show("Missing Information");
            }
            else
            {
                try
                {
                    Con.Open();
                    string query = "insert into CAR(CarID,Model,Color,FuelType,Available,Price) values(" + txtCarId.Text + ",'" + txtModel.Text + "','" + txtColor.Text + "','"+txtFuelType.Text + "','"+cmbBoxAvailable.SelectedItem.ToString()+"',"+txtPrice.Text+")";
                    SqlCommand cmd = new SqlCommand(query, Con);
                    cmd.ExecuteNonQuery();
                    MessageBox.Show("Car Successfully Added");
                    Con.Close();
                    populate();
                }
                catch (Exception myEx)
                {
                    MessageBox.Show(myEx.Message);
                }
            }
        }

But when I input values to the CarId textBox, an exception occurs: "Invalid Column name", Incorrect Syntax near"Letter" enter image description here

Answer 1

I'm going to make an attempt at fixing your code and hope it solves your issue or at least makes it clearer what is going wrong. Here is the new code:

private void btnAddCar_Click(object sender, EventArgs e)
{
    if (txtCarId.Text == "" || txtModel.Text == "" || txtColor.Text == "" || txtFuelType.Text == "" || txtPrice.Text == "")
    {
        MessageBox.Show("Missing Information");
    }
    else
    {
        try
        {
            using (var con = new SqlConnection(<your connectionstring goes here>)
            {
                con.Open();
                string query = "INSERT INTO CAR(CarID,Model,Color,FuelType,Available,Price) VALUES(@CarID,@Model,@Color,@FuelType,@Available,@Price)";
                using (var cmd = new SqlCommand(query, con))
                {
                    cmd.Parameters.Add("@CarID").Value = txtModel.Text;
                    cmd.Parameters.Add("@Model").Value = txtModel.Text;
                    cmd.Parameters.Add("@Color").Value = txtColor.Text;
                    cmd.Parameters.Add("@FuelType").Value = txtFuelType.Text;
                    cmd.Parameters.Add("@Available").Value = cmbBoxAvailable.SelectedItem.ToString();
                    cmd.Parameters.Add("@Price").Value = txtPrice.Text;
                    cmd.ExecuteNonQuery();
                    MessageBox.Show("Car Successfully Added");
                }
                populate();
            }
        }
        catch (Exception myEx)
        {
            MessageBox.Show(myEx.Message);
        }
    }
}

So, the SqlConnection is now local and wrapped in a using pattern, so it will be closed and disposed automatically. The same goes for the SqlCommand.

The query is using parameters, so that Sql Injection is prevented and you don't have to think about the database types. That's not quite true, since I assume all database fields are strings, that's highly unlikely, but you haven't specified otherwise. The fields that are not strings, you will have to convert to the right type before setting the value of the parameter.

In real life you would put all the database stuff in a data layer and only deal with the user interface here, but I left that for yourself to sort out.

Also you shouldn't catch Exception, but the Exception subtypes that are likely to occur.